162 lines
6.2 KiB
YAML
162 lines
6.2 KiB
YAML
# This action will push the assist-stats changes to aws
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
skip_security_checks:
|
|
description: "Skip Security checks if there is a unfixable vuln or error. Value: true/false"
|
|
required: false
|
|
default: "false"
|
|
push:
|
|
branches:
|
|
- dev
|
|
paths:
|
|
- "assist-stats/**"
|
|
- "!assist-stats/.gitignore"
|
|
- "!assist-stats/*-dev.sh"
|
|
- "!assist-stats/requirements-*.txt"
|
|
|
|
name: Build and Deploy Assist Stats ee
|
|
|
|
jobs:
|
|
deploy:
|
|
name: Deploy
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v2
|
|
with:
|
|
# We need to diff with old commit
|
|
# to see which workers got changed.
|
|
fetch-depth: 2
|
|
|
|
- uses: ./.github/composite-actions/update-keys
|
|
with:
|
|
assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }}
|
|
assist_key: ${{ secrets.ASSIST_KEY }}
|
|
domain_name: ${{ secrets.OSS_DOMAIN_NAME }}
|
|
jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }}
|
|
jwt_secret: ${{ secrets.OSS_JWT_SECRET }}
|
|
jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }}
|
|
jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }}
|
|
license_key: ${{ secrets.OSS_LICENSE_KEY }}
|
|
minio_access_key: ${{ secrets.OSS_MINIO_ACCESS_KEY }}
|
|
minio_secret_key: ${{ secrets.OSS_MINIO_SECRET_KEY }}
|
|
pg_password: ${{ secrets.OSS_PG_PASSWORD }}
|
|
registry_url: ${{ secrets.OSS_REGISTRY_URL }}
|
|
name: Update Keys
|
|
|
|
- name: Docker login
|
|
run: |
|
|
docker login ${{ secrets.OSS_REGISTRY_URL }} -u ${{ secrets.OSS_DOCKER_USERNAME }} -p "${{ secrets.OSS_REGISTRY_TOKEN }}"
|
|
|
|
- uses: azure/k8s-set-context@v1
|
|
with:
|
|
method: kubeconfig
|
|
kubeconfig: ${{ secrets.OSS_KUBECONFIG }} # Use content of kubeconfig in secret.
|
|
id: setcontext
|
|
|
|
# Caching docker images
|
|
- uses: satackey/action-docker-layer-caching@v0.0.11
|
|
# Ignore the failure of a step and avoid terminating the job.
|
|
continue-on-error: true
|
|
|
|
- name: Building and Pushing assist-stats image
|
|
id: build-image
|
|
env:
|
|
DOCKER_REPO: ${{ secrets.OSS_REGISTRY_URL }}
|
|
IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee
|
|
ENVIRONMENT: staging
|
|
run: |
|
|
skip_security_checks=${{ github.event.inputs.skip_security_checks }}
|
|
cd assist-stats
|
|
PUSH_IMAGE=0 bash -x ./build.sh ee
|
|
[[ "x$skip_security_checks" == "xtrue" ]] || {
|
|
curl -L https://github.com/aquasecurity/trivy/releases/download/v0.56.2/trivy_0.56.2_Linux-64bit.tar.gz | tar -xzf - -C ./
|
|
images=("assist-stats")
|
|
for image in ${images[*]};do
|
|
./trivy image --db-repository ghcr.io/aquasecurity/trivy-db:2 --db-repository public.ecr.aws/aquasecurity/trivy-db:2 --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG
|
|
done
|
|
err_code=$?
|
|
[[ $err_code -ne 0 ]] && {
|
|
exit $err_code
|
|
}
|
|
} && {
|
|
echo "Skipping Security Checks"
|
|
}
|
|
images=("assist-stats")
|
|
for image in ${images[*]};do
|
|
docker push $DOCKER_REPO/$image:$IMAGE_TAG
|
|
done
|
|
|
|
### Enterprise code deployment
|
|
|
|
- uses: azure/k8s-set-context@v1
|
|
with:
|
|
method: kubeconfig
|
|
kubeconfig: ${{ secrets.EE_KUBECONFIG }} # Use content of kubeconfig in secret.
|
|
id: setcontextee
|
|
|
|
- uses: ./.github/composite-actions/update-keys
|
|
with:
|
|
assist_jwt_secret: ${{ secrets.ASSIST_JWT_SECRET }}
|
|
assist_key: ${{ secrets.ASSIST_KEY }}
|
|
domain_name: ${{ secrets.EE_DOMAIN_NAME }}
|
|
jwt_refresh_secret: ${{ secrets.JWT_REFRESH_SECRET }}
|
|
jwt_secret: ${{ secrets.EE_JWT_SECRET }}
|
|
jwt_spot_refresh_secret: ${{ secrets.JWT_SPOT_REFRESH_SECRET }}
|
|
jwt_spot_secret: ${{ secrets.JWT_SPOT_SECRET }}
|
|
license_key: ${{ secrets.EE_LICENSE_KEY }}
|
|
minio_access_key: ${{ secrets.EE_MINIO_ACCESS_KEY }}
|
|
minio_secret_key: ${{ secrets.EE_MINIO_SECRET_KEY }}
|
|
pg_password: ${{ secrets.EE_PG_PASSWORD }}
|
|
registry_url: ${{ secrets.OSS_REGISTRY_URL }}
|
|
name: Update Keys
|
|
|
|
- name: Deploy to kubernetes ee
|
|
run: |
|
|
cd scripts/helmcharts/
|
|
cat <<EOF>/tmp/image_override.yaml
|
|
assist-stats:
|
|
image:
|
|
# We've to strip off the -ee, as helm will append it.
|
|
tag: ${IMAGE_TAG}
|
|
EOF
|
|
|
|
export IMAGE_TAG=${IMAGE_TAG}
|
|
# Update changed image tag
|
|
yq '.utilities.apiCrons.assiststats.image.tag = strenv(IMAGE_TAG)' -i /tmp/image_override.yaml
|
|
|
|
cat /tmp/image_override.yaml
|
|
# Deploy command
|
|
mkdir -p /tmp/charts
|
|
mv openreplay/charts/{ingress-nginx,assist-stats,quickwit,connector,assist-api} /tmp/charts/
|
|
rm -rf openreplay/charts/*
|
|
mv /tmp/charts/* openreplay/charts/
|
|
helm template openreplay -n app openreplay -f vars.yaml -f /tmp/image_override.yaml --set ingress-nginx.enabled=false --set skipMigration=true --no-hooks | kubectl apply -f -
|
|
env:
|
|
DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }}
|
|
# We're not passing -ee flag, because helm will add that.
|
|
IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}
|
|
ENVIRONMENT: staging
|
|
|
|
- name: Alert slack
|
|
if: ${{ failure() }}
|
|
uses: rtCamp/action-slack-notify@v2
|
|
env:
|
|
SLACK_CHANNEL: foss
|
|
SLACK_TITLE: "Failed ${{ github.workflow }}"
|
|
SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff'
|
|
SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }}
|
|
SLACK_USERNAME: "OR Bot"
|
|
SLACK_MESSAGE: "Build failed :bomb:"
|
|
|
|
# - name: Debug Job
|
|
# # if: ${{ failure() }}
|
|
# uses: mxschmitt/action-tmate@v3
|
|
# env:
|
|
# DOCKER_REPO: ${{ secrets.EE_REGISTRY_URL }}
|
|
# IMAGE_TAG: ${{ github.sha }}-ee
|
|
# ENVIRONMENT: staging
|
|
# with:
|
|
# limit-access-to-actor: true
|